How to fix CVE-2026-39320?

Within 24 hours: Inventory all Signal K Server deployments and document current versions. Within 7 days: Upgrade all instances to Signal K Server version 2.25.0 or later and validate functionality post-deployment. Within 30 days: Implement network segmentation to restrict WebSocket access to trusted sources and enable monitoring for malformed subscription requests as a compensating control during any transition period.

Is Signal K Server affected by CVE-2026-39320?

Signal K Server versions before 2.25.0 contain a regular expression denial of service vulnerability that allows unauthenticated attackers to completely disable the server through crafted WebSocket requests, directly impacting maritime vessel monitoring and safety operations.

Signal K Server CVE-2026-39320

EUVD-2026-24021 HIGH

Uncontrolled Resource Consumption (CWE-400)

2026-04-21 GitHub_M

GHSA-7gcj-phff-2884

Denial Of Service Node.js

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 21, 2026 - 16:22 vuln.today

cvss_changed

Patch available

Apr 21, 2026 - 02:01 EUVD

Analysis Generated

Apr 21, 2026 - 01:23 vuln.today

DescriptionNVD

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within the WebSocket subscription handling logic. By injecting unescaped regex metacharacters into the context parameter of a stream subscription, an attacker can force the server's Node.js event loop into a catastrophic backtracking loop when evaluating long string identifiers (like the server's self UUID). This results in a total Denial of Service (DoS) where the server CPU spikes to 100% and becomes completely unresponsive to further API or socket requests. Version 2.25.0 contains a fix.

AnalysisAI

Signal K Server versions before 2.25.0 allow remote unauthenticated attackers to crash the server via Regular Expression Denial of Service (ReDoS) in WebSocket subscription handling. By injecting unescaped regex metacharacters into the context parameter, attackers trigger catastrophic backtracking that consumes 100% CPU and renders the server completely unresponsive to all API and socket requests. …

RemediationAI

Within 24 hours: Inventory all Signal K Server deployments and document current versions. Within 7 days: Upgrade all instances to Signal K Server version 2.25.0 or later and validate functionality post-deployment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-39320 vulnerability details – vuln.today

Back

Signal K Server CVE-2026-39320

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code